Re: conflicts-based solution (was Re: security in testing)
On Thu, May 15, 2003 at 09:03:06PM +1000, Anthony Towns wrote:
> On Thu, May 15, 2003 at 08:09:48AM +0200, Sven Luther wrote:
> > On Thu, May 15, 2003 at 01:13:19PM +1000, Anthony Towns wrote:
> > > On Wed, May 14, 2003 at 07:12:15PM -0400, Joey Hess wrote:
> > > > Take the harden package, or create something similar: a package that
> > > > conflicts with all versions of packages with known security holes.
> > > Why not just /fix/ the holes? Is uploading a package with a well known
> > > patch _really_ that hard?
> > The fact is, we don't have a security architecture, or even autobuilders
> > for testing,
>
> Uh, actually, we have both these things. We've had them for almost a year
> now, although they haven't been used.
They're testing-proposed-updates is documented in Section 5.5.2 of the
Developer's Reference, but it says that they should only be used in
case of a freeze.
"You should not upload to testing-proposed-updates when you can update
your packages through unstable." is also a prominent quote from that
section. Nothing specifying security updates, although it does discuss
that these updates require manual intervention. Maybe a specific
reference to managing security updates to testing in this section would
be helpful? It'd finally put it down somewhere where people can point
to, and maybe cut a few of these debates a little shorter.
- David Nusinow (going to file a wishlist bug for this)
Reply to: